Web to Database Connection Standard

Purpose:

This standard defines the appropriate methods of connecting a web application to a database.

Brief Description:

Connections from web pages and applications to databases are an important aspect of providing dynamic content to users. ITSO Web Services strives to maintain the integrity of its web servers and all systems with which they interact. To achieve this, certain principles of operation govern these connections.

Details:

Connections from web pages and applications to databases are an important aspect of providing dynamic content to users. The following principles apply to all database connections made from web pages and applications hosted on ITSO Web Services' systems.

  • ITSO Web Services supports connections to the following ITaP-administered databases:
    • Microsoft SQL Server
    • Oracle
    • MySQL
  • Connections to non-ITaP-administered databases are not supported.
  • Databases stored on web servers (including Microsoft Access and MySQL) are strictly prohibited.
  • Database connections must be encrypted when possible.
  • ITSO Web Services strongly recommends that open connection interfaces such as ODBC and JDBC be used to connect to databases whenever possible. With these interfaces, information such as the database server name and database name, and possibly the database login credentials, is stored in the system in a Data Source Name (DSN) managed by Web Services. If any of this information needs to change, Web Services can facilitate the change, coordinating with the appropriate DBAs as necessary. If database-specific interfaces are used instead, managing and coordinating this information becomes the responsibility of the developer.
  • Connections from web pages to databases use a connection string or parameter list passed to a function in the chosen programming language. In many cases, these connection strings or parameter lists will contain usernames and passwords used to authenticate to the database server. Because this information could inadvertently be made retrievable by a web user, it should not appear anywhere in the web document tree. Upon request, we will provide a DATA directory specifically configured outside of the web document tree where this information may be stored and accessed by a site's pages. In addition to the enhanced security provided, this also means that changes to this information can be made in one place (the DATA directory) instead of in numerous places in a site's web pages.
  • Database passwords shall never be put in email, Remedy tickets, or any other written electronic communications in compliance with University policy (cite policy document here). When Web Services needs a database password from a developer (to establish a DSN, for example), we will arrange to speak with the developer on the phone or in person to exchange the information.
  • Web Services will not provide database password information to anyone. The developer must contact the DBA, Data Steward, or Database Owner for this information.
  • Database connections should use a separate account dedicated to web access. This account should have minimal privileges in the database.
  • Data Stewards and Database Owners are the authorizing contacts for connections from web applications to databases.
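The following is an added example, not part of this standard and not Web Services' own code, showing how a site's pages can consume credentials kept in a DATA directory outside the web document tree, as the principles above require. The directory layout, the `db.ini` file name, the `[database]` section and its keys, and the `webapp_dsn` / `webapp_ro` values are all constructed for the example. The loader refuses a credential file that resolves to a location under the document tree, refuses one readable by other accounts, prefers a Web Services DSN over a hand-maintained server/database pair, and produces a redacted view so connection details can appear in a ticket without the password.

```python
"""Load web-to-database settings from a DATA directory outside the web root.

Added example for the standard above; all paths and option names are
placeholders, not Web Services' actual configuration.
"""
import configparser
import os
import tempfile
from pathlib import Path


class CredentialLocationError(Exception):
    """Raised when a credential file resolves to a location under the web document tree."""


def is_outside_web_root(path: Path, web_root: Path) -> bool:
    """Return True when `path` resolves to somewhere outside `web_root`.

    Both sides are resolved first, so a DATA path that is really a symlink
    into the document tree is judged by its real location.
    """
    real_path = path.resolve()
    real_root = web_root.resolve()
    try:
        real_path.relative_to(real_root)
    except ValueError:
        return True
    return False


def load_db_settings(config_path: Path, web_root: Path) -> dict:
    """Read the [database] section of an INI file kept outside the web root."""
    if not is_outside_web_root(config_path, web_root):
        raise CredentialLocationError(
            f"{config_path} resolves inside the web document tree {web_root}")
    # Only the web server account should be able to read the file.
    # (POSIX permission bits; the check is skipped on Windows.)
    if os.name != "nt" and config_path.stat().st_mode & 0o077:
        raise PermissionError(f"{config_path} must not be group- or world-readable")

    parser = configparser.ConfigParser()
    with config_path.open(encoding="utf-8") as fh:
        parser.read_file(fh)
    section = parser["database"]

    settings = {
        "dsn": section.get("dsn", fallback=""),
        "server": section.get("server", fallback=""),
        "database": section.get("database", fallback=""),
        "user": section["user"],          # KeyError if absent: fail closed
        "password": section["password"],
        "encrypt": section.getboolean("encrypt", fallback=True),
    }
    if not settings["dsn"] and not (settings["server"] and settings["database"]):
        raise ValueError("config needs either a dsn, or both server and database")
    return settings


def odbc_connection_string(settings: dict) -> str:
    """Assemble an ODBC connection string, preferring a Web Services DSN.

    With a DSN the page only needs the DSN name and login; server and
    database names live in the DSN and can change without touching the site.
    The Encrypt keyword spelling is driver-specific; this is the SQL Server
    form. Quote the password per your driver if it contains ';'.
    """
    parts = []
    if settings["dsn"]:
        parts.append(f"DSN={settings['dsn']}")
    else:
        parts.append(f"Server={settings['server']}")
        parts.append(f"Database={settings['database']}")
    parts.append(f"UID={settings['user']}")
    parts.append(f"PWD={settings['password']}")
    parts.append("Encrypt=yes" if settings["encrypt"] else "Encrypt=no")
    return ";".join(parts)


def redacted(settings: dict) -> dict:
    """Copy of the settings that is safe to paste into a log or ticket."""
    return {k: ("***" if k == "password" else v) for k, v in settings.items()}


# Constructed sample config; the values are not real credentials.
SAMPLE_CONFIG = """\
[database]
dsn = webapp_dsn
user = webapp_ro
password = constructed-sample-password
encrypt = yes
"""


def demo() -> dict:
    """Build a constructed htdocs/DATA layout in a temp folder and exercise
    both the accepted placement (DATA) and the rejected one (web root)."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp, "htdocs")
        data_dir = Path(tmp, "DATA")
        web_root.mkdir()
        data_dir.mkdir()

        good = data_dir / "db.ini"
        good.write_text(SAMPLE_CONFIG, encoding="utf-8")
        good.chmod(0o600)
        bad = web_root / "db.ini"
        bad.write_text(SAMPLE_CONFIG, encoding="utf-8")
        bad.chmod(0o600)

        settings = load_db_settings(good, web_root)
        try:
            load_db_settings(bad, web_root)
            rejected = False
        except CredentialLocationError:
            rejected = True

        return {
            "connection_string": odbc_connection_string(settings),
            "log_view": redacted(settings),
            "rejected_in_web_root": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the assembled connection string for the file in DATA, the redacted view suitable for a Remedy ticket, and confirms that the same file placed under the document tree is rejected. In a real site the `web_root` and DATA paths come from the server configuration rather than a temp directory.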

If the above principles conflict in any way with the policies and standards of Purdue University, the Data Steward, the Database Owner, or the Database Administrator, the stricter of the two shall prevail.